sepolicy/policy/chromeos/cros_rootdev.te - third_party/platform2 - Git at Google

 type cros_rootdev, domain, chromeos_domain;

 domain_auto_trans_nnp(cros_chromeos_install, cros_rootdev_exec, cros_rootdev)
 domain_auto_trans_nnp(cros_is_running_from_installer, cros_rootdev_exec, cros_rootdev)
 domain_auto_trans_nnp(cros_os_install_service, cros_rootdev_exec, cros_rootdev)

 allow cros_rootdev {
   cros_chromeos_install
   cros_is_running_from_installer
   cros_os_install_service
 }:fd use;
 allow cros_rootdev {
   cros_chromeos_install
   cros_is_running_from_installer
   cros_os_install_service
 }:fifo_file rw_file_perms;

 allow cros_rootdev device:blk_file getattr;
 allow cros_rootdev sysfs:dir read;
 allow cros_rootdev sysfs:file read;
 allow cros_rootdev sysfs_dm:dir r_dir_perms;
 allow cros_rootdev sysfs_dm:file read;
 allow cros_rootdev sysfs_loop:dir search;
 allow cros_rootdev sysfs_loop:file read;
	type cros_rootdev, domain, chromeos_domain;

	domain_auto_trans_nnp(cros_chromeos_install, cros_rootdev_exec, cros_rootdev)
	domain_auto_trans_nnp(cros_is_running_from_installer, cros_rootdev_exec, cros_rootdev)
	domain_auto_trans_nnp(cros_os_install_service, cros_rootdev_exec, cros_rootdev)

	allow cros_rootdev {
	cros_chromeos_install
	cros_is_running_from_installer
	cros_os_install_service
	}:fd use;
	allow cros_rootdev {
	cros_chromeos_install
	cros_is_running_from_installer
	cros_os_install_service
	}:fifo_file rw_file_perms;

	allow cros_rootdev device:blk_file getattr;
	allow cros_rootdev sysfs:dir read;
	allow cros_rootdev sysfs:file read;
	allow cros_rootdev sysfs_dm:dir r_dir_perms;
	allow cros_rootdev sysfs_dm:file read;
	allow cros_rootdev sysfs_loop:dir search;
	allow cros_rootdev sysfs_loop:file read;